Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33858

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 21 hours ago

Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.

References

Affected products

apache-airflow

<3.2.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

nixos-unstable 3.1.7
- nixpkgs-unstable 3.1.7
- nixos-unstable-small 3.1.7
nixos-25.11 2.7.3
- nixos-25.11-small 2.7.3
- nixpkgs-25.11-darwin 2.7.3

Package maintainers

@bhipple Benjamin Hipple <bhipple@protonmail.com>
@gbpdt Graham Bennett <nix@pdtpartners.com>
@ingenieroariel Ariel Nunez <ariel@nunez.co>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers